2023-02-21发表2023-10-28更新Research10 分钟读完 (大约1538个字)

基于OpenBTS的GSM短信基站实验

中文：基于OpenBTS的GSM短信基站实验

⚠警告⚠声明

仅供学习交流！严禁将此技术用于非法途径！违者后果自负！

搭建教程已略（网上一搜一大把），这是一篇长坑，后面会慢慢补，因为我不是通信专业的，所以有些地方写的不好还请见谅

Pre

Ubuntu 20.04.03 (LTS)
a53
osmocom-bb
- 需配置arm交叉编译环境
libosmocore
libosmo-dsp
libtalloc-dev (lib talloc)
OpenBTS 2.8p

osmocom-bb分支详情请查看，Branches - OsmocomBB - Open Source Mobile Communications

这里选用 sylvain/testing

It is possible to turn Calypso based phone into a small BTS. The transceiver application and corresponding firmware should be used in OpenBTS or OsmoBTS setup. See CalypsoBTS for details.

osmocom-bb需要的依赖

libtalloc-dev libtirpc-dev libfftw3-3 libfftw3-dev libfftw3-doc autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev libtool shtool autoconf git-core pkg-config make gcc libpcsclite-dev gnutls-dev libmnl-dev libsctp-dev

如果爆出下面错误

/root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:32:23: error: conflicting types for ‘int64_t’    32 | typedef long long int int64_t;       |                       ^~~~~~~ In file included from /usr/include/stdint.h:34,                  from /usr/lib/gcc/x86_64-linux-gnu/9/include/stdint.h:9,                  from /root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:19,                  from ../../include/osmocom/core/signal.h:4,                  from ../../src/signal.c:21: /usr/include/x86_64-linux-gnu/bits/stdint-intn.h:27:19: note: previous declaration of ‘int64_t’ was here    27 | typedef __int64_t int64_t;       |                   ^~~~~~~ In file included from ../../include/osmocom/core/signal.h:4,                  from ../../src/signal.c:21: /root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:33:32: error: conflicting types for ‘uint64_t’

打开 osmocom-bb/src/target/firmware/include/stdint.h 如下图进行修改

修改好了后 ./configure 然后 make 即可

具体就是搭建arm交叉编译环境，编译libosmocore和libosmo-dsp，然后搭个OpenBTS。

伪基站原理简单来说就是不法分子通过黑产设备模拟了附近基站的信号，通过劫持IMEI（国际移动用户识别码）等信息就可以通过手机IMEI展开一系列的攻击。

让BTS支持发送中文消息

参考Axelle Apvrille写的论文 “OpenBTS for dummies”

OpenBTS默认是不支持发送中文的，如果硬发会爆出乱码

如果想要让OpenBTS发送中文，必须自己修改源代码，打开文件/OpenBTS/CLI/CLI.cpp，添加

https://github.com/fairwaves/openbts-2.8/commit/faf14b0e9ad4673b64d28e2038bdab90d69fcefb

/** Submit an SMS for delivery to an IMSI. */
int sendsmspdu(int argc, char** argv, ostream& os)
{
	if (argc<4) return BAD_NUM_ARGS;

	char *IMSI = argv[1];
	char *srcAddr = argv[2];
	string rest = "";
	for (int i=3; i<argc; i++) rest = rest + argv[i]; //+ " ";
	const char *txtBuf = rest.c_str();

	if (!isIMSI(IMSI)) {
		os << "Invalid IMSI. Enter 15 digits only."; return BAD_VALUE; } Control::TransactionEntry *transaction = new Control::TransactionEntry( gConfig.getStr("SIP.Proxy.SMS").c_str(), GSM::L3MobileIdentity(IMSI), NULL, GSM::L3CMServiceType::MobileTerminatedShortMessage, GSM::L3CallingPartyBCDNumber(srcAddr), GSM::Paging, txtBuf); transaction->messageType("application/vnd.3gpp.sms");
	Control::initiateMTTransaction(transaction,GSM::SDCCHType,30000);
	os << "message submitted for delivery" << endl;
	return SUCCESS;
}

和

1	addCommand("sendsmspdu", sendsmspdu, "IMSI src# PDU message... -- send PDU SMS to IMSI, addressed from source number src#.");

之后写个简单的 pdu 脚本就行了，可以参考 python-smspdu 进行修改

This sends an SMS to IMSI 208304424439206, from 24567, with text ”Test”.
Finally, it is also possible to have phone send SMS to each other:

Register the phone. This step must be done if you get this error in smqueue logs (and the corresponding
SMS on your phone):

如何防御

发现手机被降频时立马关掉移动网络，如网络显示OpenBTS或者GSM（G网），要及时更换环境，重新连接附近的基站
启用2FA

对遗留日志的取证分析

样本名：2016.log

MD5：61aa4478bb128f8ea6736e09f26c4f24

Size: 538 MB (564,635,221 Bytes)

样本数据

Jun  4 06:25:23 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "addsms 1401834316 10651086117 0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101" from

根据网上公开系统的加密代码，逆向编写解密脚本。

<?php
function decode($s)
{
    $l = strlen($s);
    if ($l % 16 != 0)
        return '';
    $s = str_base_convert($s, 2, 16);
    $s = hex2bin($s);
    $s = mb_convert_encoding($s, 'UTF-8', 'UCS-2');
    return $s;
}

数据一

0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101

解码后

幸福其实很简单：口渴了喝杯水润润喉，烦恼时听听音乐轻轻松，疲倦时在椅上打个盹，安静里拿起手机发条短信提醒你：天亮了，好起床了！祝你每天好心情

数据二

1000110110000101010111100000001001100101001101101001010011110110011111001111101101111110110111111111111100001100100010011110011001011100010011111001100100010000100110010110111001110000101110011000001111011100011111001111101101111110110111111111111100001100011101010001110001010100110000010101100101110110100000110011011001100101001101101001010011110110100010111011111001011001000001111111111100001100011001110000100101010001011100110110010100110110100101001111011001110110100001001001010111101110100110001001100001101011001000101000111111001110010101001010100010001011111000100110010100110110100101001111011001001110000100110101101110110110000000000011000100000000001101010000000000110110000000000011000000000000001101010000000000111000000000000011100000000000001110000000000000110101000000000011001000000000001100010101000101101000010110010101011110001011101111100101100100000111010100011110110101110111111011010100111111100001011100100111100101001110111101110000000000110010000000000011011000000000001100000000000000110000010101000010101110001111110110111001010100000000010110110101100001111011101000010111010000000110

解码后

超市收银系统，触屏餐饮点菜系统，甜品奶茶收银设备，有关收银的问题欢迎咨询收银专家156***521（已码）全套设备凭短信特价2600含进销存管理

数据三

解码后

超市收银系统，触屏餐饮点菜系统，甜品奶茶收银设备，有关收银的问题欢迎咨询收银专家156***21全套设备凭短信特价2600含进销存管理

数据三

01110101000111110101010001111101010110011000001001101100101100111111111100001100011101010010100001011111111010110100111001010000011001000100011001101110001000011111111100011011010011101011101001110101000111110101100110000010011010110100110011111111000011000111010100101000011010001010011001100000111100110101010000011111010101010011000111111111000110110110010111100101010110110101000001011001100000100101110001110001111111110000110001110101001010000101001010101010010100101001101101100101000000000111011001111011111111110001101101011100100000010110011100001000010110011000001001100010000011111111111100001100011101010010100001110111000111110101111111000011011011110001010001111110110011101111111100011011011000100001000001010010100111110101100110000010010100010100100111111111000011000111010100101000010011101101100001010001111110101001000111000111011001000101100011111111000110110101001111001011011000001100010101011001100000100110100000010001111111110000110001110101001010000111011100011111100010111101101001010100011101010110001010100100001100000000001001011110001110000110000001101000011001110000100001101110111000010101001000011001010011101000111110000010101100010110111011100001010100100001100101010001110010111111111100001100010011110101010101011111110001010101100100101010100011111100011110001011101000011000111110000011001100000000001001110101001010000101011101100110100000110110000101110110100001000101111111000011111111110000110010001101011100000101111001111000011110011000111101110110100001001000110111101111111111110000110001100001001111110100111101100000010111111110101101001110010100000110001111100001010101110010100001100010010010111111111100001100010110010111110110001111110100001000111010101011100011111011100101110101010110011111111100001100010111100111100001111001100011110111011011111000010011110011010010001101011100001111111100000001

解码后

生命如河，用快乐摆渡；人生如歌，用梦想吟唱；日子如山，用努力攀登；岁月如戏，用真心演绎；成功如光，用付出采摘；友情如树，用真诚呵护。常恨月满则亏花满则凋，何必太过计较。用坦荡的心，走幸福的路，愿你快乐握在手，好运身边留，幸福相伴走！

数据四

01110011110011010110000011011100010011101000011011111111000011001000000011111101011000101110010101100111000010011111111100011011010011101101100001010001111110100100111010000110111111110000110001100111000010010101011011011110011000101010010111111111000110111000110101110000100011111100011101001110100001101111111100001100010011100000110101010100000011100110000010010100001100000000001001100111000010110101001111001011111111110000110001100001001111110100111101100000100011010111000001011001011111010111010100011111010101000111110101110110100001000110101111001111010011100000000001101011011001011111111100001100010111100111100001111001100011110101111111101011010011100101000001101011110011110100111000000000010110010010100111111111000000010100111000001101011001100010111101101011110011111000111101101110100000100111001110010110001100111001000011111101011001101001011001001110101110101111111100001100010011100000110101100110001011110110101111001111011100100100011101001110010011000100111010010001100100001111110101001110000010111001011011101000111111110000110001100101111000100111000100110110010100011011001101011011100110100100111000001101010011101000011001010100011111011000111111010000011101101000010001010011101110110101010000010001111111110000110010010000101000110101110000110001100011100000111110001110000011110101101110011110010110111001111001010111001100001000110101110000010110010111110101101011110011110100111000000000010110010010100111111111000011001000101111110111011101101111100001001111111000011111111100011010011000100001000101110110100001000111100101011101011110011000111101100110001011110110011100000000011101110001111101110110100001001111111100000001

解码后

珍惜了，能拥有；付出了，有回报；走过了，不后悔。朋友，愿你走好生命的每一步，幸福快乐每一天！不是每轮艳阳都暖人，不是每片乌云都下雨，既然决定不了命运的去向，那就踏踏实实地走好每一天，请相信：我的祝福是最真的！

数据五

10001011110110100100111010100100010100110101010110001110101010110101100101110011010110001110101111111111000011000000000000110010000000000011000000000000001011010000000000110011000000000011010101011100100000011111111100001100000000000101000100000000010100010000000000110011000000000011001000000000001101100000000000110101000000000011100100000000001110000000000000111000000000000011100100000000001101100000000000100000

解码后

诚交单身女士，20-35岁，QQ3*****

数据六

010011101100101001011001001010011001011000110101100101101110100000000000001000000000000000110010000000000011000111111111010111100000000000110010000000000011100000100001000000111111111100001100100110001100111001010010100110111111111100011010100010010111111101010011010101111001100011001110000000000011001001111110101001111111111100001100011011100111111101011110101001101111111100011010000000000011100100000000001100000000000000100101111111110000110010010110010011010110110000110100011010011000001001110011100001111111111100011010000000000011011100000000001100000000000000100101001100000000001001100110000011100101100100101001010011100010110110010110111010001111111100001100000000000011001000000000001100100000000000101101000000000011001000000000001101010010000100000011100110001100111001010010100110111111111100011010010011100001110001010011010101111001100011001110010111111010111010011000110011100000000000100000

解码后

今天阵雨 21～28℃，风力：西南风2级，湿度：90%，降水概率：70%。明天中雨，22-25℃风力：东南风微风

Reference

基于OpenBTS的GSM短信基站实验

https://iloli.moe/2023/02/21/基于OpenBTS的GSM短信基站实验/

作者

IceCliffs

发布于

2023-02-21

更新于

2023-10-28

许可协议

基于OpenBTS的GSM短信基站实验

Pre

如何防御

对遗留日志的取证分析

数据一

数据二

数据三

数据三

数据四

数据五

数据六

Reference

作者

发布于

更新于

许可协议

喜欢这篇文章？打赏一下作者吧

评论

链接

归档

目录

分类

最新文章

标签